<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div apple-content-edited="true">Hi,</div><div apple-content-edited="true"><br></div><div apple-content-edited="true">The main purpose of threat modelling is systematically finding the security weakness / threats in the system. In the process, there will be some bug reports related to the implementation,</div><div apple-content-edited="true">however IMHO the main contribution should be around design and deployment weakness, which by way the takes longer time to fix or has trade offs related with it ( e.g., the bearer token</div><div apple-content-edited="true">issue, adminess issues). Now, some of these are already documented as part of the OSSN, and in the threat modelling we are proactively trying to find new ones in a broader scale. </div><div apple-content-edited="true">The other objective is to document the systematic view and all possible threats per project in a single document / place. IMHO, it should a good fit in the documentation project or </div><div apple-content-edited="true">security guide / Annex of the security guide. And the issue about format changing (from .doc, .xls), that is something we will gradually perform - should be small amount of manual job -</div><div apple-content-edited="true"> if we agreed on the dissemination platform.</div><div apple-content-edited="true"><br></div><div apple-content-edited="true">The plan to use Gerrit is to add flow to the process and add peer review obviously. From another angle, i was thinking, is it a good idea to merge the work with Security Guides work.</div><div apple-content-edited="true">In that case, we can follow the same process ?</div><div apple-content-edited="true"><br></div><div apple-content-edited="true">Thanks,</div><div apple-content-edited="true">Shohel</div><div apple-content-edited="true"><br></div>
<br><div><div>On 11 Apr 2014, at 19:06, Bryan D. Payne <<a href="mailto:bdpayne@acm.org">bdpayne@acm.org</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><div dir="ltr">This doesn't strike me as being as good of a fit for the documentation project. I say this because the output isn't a long lived document that people will reference. The findings seem to me to be of high value initially, and then (hopefully) things get fixed and then I don't see people referencing the findings much any more. Please correct me if I'm thinking of this in the wrong light.<div>
<br></div><div>Could you describe a bit more about how you would make of use gerrit here? Is this just to get some peer review on the findings before presenting them to the projects as bug reports?</div><div><br></div><div>
-bryan</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Apr 11, 2014 at 1:13 AM, Abu Shohel Ahmed <span dir="ltr"><<a href="mailto:ahmed.shohel@ericsson.com" target="_blank">ahmed.shohel@ericsson.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Hi,<div><br></div><div>Yesterday’s OSSG meeting, we are discussing about Threat Modelling process and more specifically gating and publishing process.</div>
<div>Currently, the work is hosted in the Security Wiki page:</div><div><br></div><div><a href="https://wiki.openstack.org/wiki/Security/Threat_Analysis" target="_blank">https://wiki.openstack.org/wiki/Security/Threat_Analysis</a></div>
<div><br></div><div>and some of the contents are in </div><div><a href="https://github.com/shohel02/OpenStack_Threat_Modelling.git" target="_blank">https://github.com/shohel02/OpenStack_Threat_Modelling.git</a></div><div>
<br></div><div>Now, that more people are getting interested and there is a need to have engagement and dissemination strategy.</div><div>We are thinking of some common GIT repo with Gerit control, similar to OSSN currently has. Another aspect is, </div>
<div>can it be part of the documentation project? We think it is well fitted in that category. What do you guys think ?</div><div><br></div><div>Thanks,</div><div>Shohel</div><div> </div></div><br>_______________________________________________<br>
Openstack-security mailing list<br>
<a href="mailto:Openstack-security@lists.openstack.org">Openstack-security@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>
<br></blockquote></div><br></div>
</blockquote></div><br></body></html>